Method and base chip for monitoring the operation of a microcontroller unit



The present invention relates to a method of monitoring the operation of at 
least one microcontroller unit that is intended for at least one application and is associated 
with a system. 

The present invention further relates to a base chip, and particularly a system
base chip, for monitoring the operation of at least one microcontroller unit that is intended for
at least one application, and to an associated system, and particularly a control system.



In modern-day control units, in automobile electronics for example, it is no
longer usual for use to be made of permanently preprogrammed microcontrollers because the
fixed preset program means that modifications cannot then be made in the course of ongoing
volume production or by the end-customer. Motor-vehicle manufacturers are therefore
increasingly going over to the practice of using so-called volatile memories or flash
memories in the microcontrollers; volatile memories of this kind allow the program code to
be overwritten at any time, which can be done both in production and in a repair shop, as part
of an inspection say.

Something that is normally felt to be very much of a disadvantage with flash
memories of this kind is the fact that in principle the possibility exists of the program being
partly or even totally lost during the life of the motor vehicle, and hence that the burnt-in
software may crash at some random point. Program crashes of this kind may then mean that a
control unit can no longer be changed properly to a state in which its current consumption is
at a reduced level. Hence a vehicle becomes subject to a sustained, raised current
consumption even in the parked state, i.e. with the ignition switched off, and this discharges
the vehicle's battery and, if the worst comes to the worst, makes the vehicle impossible to
start.

Because all the control units are interconnected in series, the seriousness of a 
fault of the kind described above may become very great. Via the interconnections, a faulty 
control unit with a defective flash memory may cause the entire motor vehicle to be 
permanently "awake" and in this way may give rise to an extreme power consumption. 



WO 03/104993 PCT/IB03/02098 

Substantially the same problem is caused by all the other faults of cyclic occurrence that
cause constant resetting of the control unit, such as a short-circuit in the supply (producing an
undervoltage caused by the switching on of a load, etc.) or the like.

In the prior art, attempts are now being made to detect the system behavior by 
means of a so-called "watchdog" (a configurable timer having a clock-signal derived from an 
independent source) within the control unit. What the term "watchdog" is generally 
understood to mean in this connection is a technique that is used to monitor devices, 
connections or software cyclically. If a piece of software is no longer following the ordered 
path laid down by the software, the watchdog is intended to reset the microcontroller and in 
this way to restore the running of the program to its planned course. 

The watchdog is however powerless to help if what repeatedly occurs is that
there is a crash of the software or a reset, due say to an undervoltage, at some random point
in the program, the watchdog or undervoltage detector resets the control unit, and it then
crashes or causes an undervoltage again at a later point in time at the same point in the
software. What is produced in this way is an endless loop from which the control unit is unable
to escape.



Taking the disadvantages and shortcomings described above as a point of 
departure and with due allowance for the prior art outlined, it is an object of the present 
invention so to further develop a method of the kind detailed in the first paragraph and a base 
chip of the kind detailed in the second paragraph that the operation of a microcontroller unit 
that is intended for an application and is associated with a serial system of the above kind is 
monitored, so that faulty operation, and particularly faulty operation that causes battery 
discharge, can be reliably avoided. 

This object is achieved by a method having the features specified in claim 1 
and by a base chip having the features specified in claim 5. Advantageous embodiments and 
useful refinements of the present invention are described in the respective sets of dependent 
claims. 

The present invention is therefore based not only on providing a method of
monitoring but also on providing a system chip giving fault-statistics support. For this
purpose it is proposed, under the teaching of the present invention, that at least one
non-volatile memory area that allows the application software to keep fault statistics be provided
in the application and in particular in the system chip.
This memory area should advantageously be arranged outside the
microcontroller and should also have an independent supply, so that even short-circuits in the
supply voltage to the microcontroller will not cause a loss of the statistical data that has been
logged. An independently supplied memory area of this kind also allows the microcontroller
to make use in intervening periods of a planned mode of operation in which there is no
current supply (a so-called "sleep mode"), without losing the statistical data.

In a particularly advantageous refinement of the present invention, write
access to the memory area is only permitted if the system starts again after a reset process. In
this way the possibility can be ruled out of the memory area being accidentally overwritten in
operation by, say, faulty software. Read access on the other hand should always be possible,
to allow a system diagnosis to be undertaken at any time.

In both the method and the base chip according to the present invention, it is
preferably possible for the cause of a reset event to be detected and made available to the
microcontroller unit when required. In this way, different reset events can be detected and
can be dealt with separately.

If for example the watchdog times out due to a faulty volatile memory, the
microcontroller is notified of this reset event and the application software stores this
information in the non-volatile memory area that is provided in accordance with the
invention. For each reset event of this kind, the software may for example increment this
fault memory and, when some given count is reached, may no longer start normally but may
go to a fail-safe state in which the current consumption is low.

In a particularly inventive embodiment, the use of at least one S[ystem] B[ase] 
C[hip] allows both the voltage supply to the microcontroller unit and also the watchdog and 
the reset hardware to be provided with undervoltage detecting facilities. 
Within such system base chips that are permanently supplied by the battery, it
is easy for the prescribed memory area to be implemented in the form of a R[andom]
A[ccess] M[emory] because voltage is available constantly in this case (giving a cost benefit
over an E[lectrically] E[rasable] P[rogrammable] R[ead] O[nly] M[emory]).

The detection of the reset event may also advantageously take place in the
S[ystem] B[ase] C[hip] and it may be stored there, because the S[ystem] B[ase] C[hip] is
itself responsible for checking the system reset. Hence, the system base chip may also, in an
optimum way, perform the locking of the memory bits in the non-volatile memory area,
because the S[ystem] B[ase] C[hip] itself checks the starting of the system and can block off
the memory area after a successful start.
In accordance with the present invention, all the components required for
developing a fail-safe system are available to the user. What is particularly advantageous is 
the flexibility of the present approach, because there are no fixed preset automatic functions 
that have to be incorporated in the S[ystem] B[ase] C[hip]. This allows the safety scheme for 
an application to be adapted and adjusted in the optimum manner and to be defined and/or 
scaled by the user in any desired way. 

Finally, the present invention relates to the use of a method of the kind 
described above and/or of at least one base chip of the kind described above for monitoring 
the operation of a microcontroller unit intended for at least one application, in automobile 
electronics and particularly in the electronics of motor vehicles. 

As has already been described above, there are various possible ways in which 
the teaching of the present invention may advantageously be embodied and refined. On the 
one hand, reference can be made in this connection in particular to the claims dependent on 
claims 1 and 5, and on the other, further aspects, features and advantages of the present 
invention are apparent from and will be elucidated with reference to the illustrative 
embodiment shown in Fig. 1 and described hereinafter. 

In the drawings: 

Fig. 1 is a block diagram of an embodiment of a system according to the present
invention having a base chip and a microcontroller unit. 

Shown diagrammatically in Fig. 1 is a control system 100 that, as well as a 
microcontroller unit 300 having a supply unit 310 (providing the VDD supply), a reset unit 
320 and an I[nput]/O[utput] module 330, also has a so-called S[ystem] B[ase] C[hip] 200 for
monitoring the operation of the microcontroller unit 300, the said microcontroller unit 300 
being intended for an application. 

For this purpose, the system chip 200 has, amongst other things, a non-volatile 
memory area 10 (= a "general purpose memory") by means of which fault statistics relating 
to the operation of the microcontroller unit 300 can be produced and logged. The system chip 
200 permits write access to the freely programmable bits of the memory unit 10 only while 
the system 100 is starting, in order to prevent faulty write accesses from occurring in
operation. Read access to the freely programmable bits of the memory unit 10 on the other 
hand is always possible. 

Because the system chip 200 allows a distinction to be made between different 
reset events and the different events to be made accessible to the application controller 300, 
the system chip 200 has an information unit 20 (for reset source information) that is provided 
to allow for different reset events, and a reset unit 40 (for system resets) that is connected to 
the microcontroller unit 300 by a connection 42 (going to the reset unit 320 of the 
microcontroller unit 300). 

To allow information, and particularly fault statistics data, to be exchanged, 
the memory area 10 and the information unit 20 have inserted in front of them an interface 
unit 30 (feeding the I[nput]/O[utput] module 330 of the microcontroller unit 300).

As is also apparent from what is shown in Fig. 1, the memory area 10 and a 
microcontroller supply unit 50 that is connected to the microcontroller unit 300 by a 
connection 52 have permanently associated with them at least one battery unit 400. Whereas 
the memory bits in the memory unit 10 that are available to the application receive a 
permanent supply from the battery 400, the microcontroller supply unit 50 can be switched 
on and off by means of a switch 54, thus enabling a temporary energy supply to be associated 
with the microcontroller unit 300 via the microcontroller supply unit 50 (supplying the VDD 
supply unit 310 of the microcontroller unit 300).

So, to sum up, it can be said that the system base chip 200 shown in Fig. 1 is
intended to detect and track cyclic fault situations in E[lectronic] C[ontrol] U[nits] to prevent
any sustained high current consumption by the control system 100 from being caused by 
cyclic fault situations of this kind. 

Certain bits (= so-called "general-purpose bits") in a memory unit 10 forming
part of the system base chip 200, which bits have a continuous supply, then allow the
above-mentioned fault events to be stored using the application software and the statistical
information thereby obtained to be kept available, notably even if there is (substantially) no
power supply to the application controller 300 due to low-energy operation or failure.

In this connection, a specifically provided log or register in the system base 
chip 200 makes it possible to differentiate between the different fault events and the different 
cyclic problems to be tracked in this way. If a user-defined threshold is exceeded, the 
application can then, in accordance with the invention, decide not to (re)start but to go 
straight to a low-energy mode. 
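
The scheme summarised above, as an added example in C that is not taken from the patent: a simulated system base chip with one battery-backed counter per reset source, a write window that is open only during start-up, and an application boot routine that goes fail-safe once a count is reached. All identifiers, the threshold value of 3 and the clearing of the counters on a power-on reset are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Simulated SBC; every name below is hypothetical, not from the patent. */
enum reset_source { RST_POWER_ON, RST_WATCHDOG, RST_UNDERVOLTAGE, RST_SRC_COUNT };
enum boot_mode { BOOT_NORMAL, BOOT_FAIL_SAFE };
#define FAULT_THRESHOLD 3 /* user-defined limit; the value is an assumption */

struct sbc {
    uint8_t gp_mem[RST_SRC_COUNT]; /* battery-backed general-purpose bits */
    enum reset_source last_reset;  /* reset source information */
    bool write_open;               /* true only between reset and end of start-up */
};

/* SBC side: a reset records its cause and reopens the write window. */
static void sbc_reset(struct sbc *s, enum reset_source src) {
    s->last_reset = src;
    s->write_open = true;
}
/* SBC side: writes are refused once the start-up window has closed. */
static bool sbc_write(struct sbc *s, unsigned idx, uint8_t v) {
    if (!s->write_open || idx >= RST_SRC_COUNT) return false;
    s->gp_mem[idx] = v;
    return true;
}
/* Application side: runs once after every reset, before normal operation. */
static enum boot_mode app_boot(struct sbc *s) {
    enum reset_source src = s->last_reset;
    enum boot_mode mode = BOOT_NORMAL;
    if (src == RST_POWER_ON) {      /* assumption: fresh supply clears statistics */
        for (unsigned i = 0; i < RST_SRC_COUNT; i++) sbc_write(s, i, 0);
    } else {
        uint8_t n = s->gp_mem[src]; /* read access is always possible */
        if (n < UINT8_MAX) n++;     /* saturate instead of wrapping to 0 */
        sbc_write(s, src, n);
        if (n >= FAULT_THRESHOLD) mode = BOOT_FAIL_SAFE;
    }
    s->write_open = false;          /* models the SBC locking after start-up */
    return mode;
}
/* Count resets from one source until the application refuses to start. */
static int boots_until_fail_safe(struct sbc *s, enum reset_source src) {
    int boots = 0;
    do { sbc_reset(s, src); boots++; } while (app_boot(s) == BOOT_NORMAL);
    return boots;
}
int main(void) {
    struct sbc s = {0};
    sbc_reset(&s, RST_POWER_ON);
    app_boot(&s);
    return boots_until_fail_safe(&s, RST_WATCHDOG) == FAULT_THRESHOLD ? 0 : 1;
}
```

Because the counters are kept per reset source, a run of watchdog resets reaches the threshold without being masked or inflated by an unrelated undervoltage reset.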

LIST OF REFERENCE NUMERALS:

100  System, in particular a control system
10   Memory area
20   Information unit
30   Interface unit
40   Reset unit
42   Connection between reset unit 40 and microcontroller unit 300
50   Microcontroller supply unit
52   Connection between supply unit 50 and microcontroller unit 300
54   Switch of supply unit 50
200  Base chip, in particular a system base chip
300  Microcontroller unit, in particular an application microcontroller
310  Supply unit for microcontroller unit 300
320  Reset unit for microcontroller unit 300
330  I[nput]/O[utput] module of microcontroller unit 300
400  Battery unit